cvelistv5 - cve-2021-36782

cve-2021-36782

Vulnerability from cvelistv5

Published

2022-09-07 08:20

Modified

2024-09-17 04:14

Severity ?

9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners, Project Members and User Base to use the Kubernetes API to retrieve plaintext version of sensitive data. This issue affects: SUSE Rancher Rancher versions prior to 2.5.16; Rancher versions prior to 2.6.7.

References

URL	Tags
meissner@suse.de	https://bugzilla.suse.com/show_bug.cgi?id=1193988	Exploit, Issue Tracking, Mitigation, Vendor Advisory
meissner@suse.de	https://github.com/rancher/rancher/security/advisories/GHSA-g7j7-h4q8-8w2f	Exploit, Mitigation, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.suse.com/show_bug.cgi?id=1193988	Exploit, Issue Tracking, Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/rancher/rancher/security/advisories/GHSA-g7j7-h4q8-8w2f	Exploit, Mitigation, Third Party Advisory

Impacted products

Vendor

Product

Version

▼

SUSE

Rancher

Version: Rancher < 2.5.16

SUSE

Rancher

Version: Rancher < 2.6.7

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T01:01:59.069Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://bugzilla.suse.com/show_bug.cgi?id=1193988",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/rancher/rancher/security/advisories/GHSA-g7j7-h4q8-8w2f",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "Rancher",
               vendor: "SUSE",
               versions: [
                  {
                     lessThan: "2.5.16",
                     status: "affected",
                     version: "Rancher",
                     versionType: "custom",
                  },
               ],
            },
            {
               product: "Rancher",
               vendor: "SUSE",
               versions: [
                  {
                     lessThan: "2.6.7",
                     status: "affected",
                     version: "Rancher",
                     versionType: "custom",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               value: "Florian Struck (from Continum AG) and Marco Stuurman (from Shock Media B.V.)",
            },
         ],
         datePublic: "2022-08-19T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners, Project Members and User Base to use the Kubernetes API to retrieve plaintext version of sensitive data. This issue affects: SUSE Rancher Rancher versions prior to 2.5.16; Rancher versions prior to 2.6.7.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.9,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-312",
                     description: "CWE-312: Cleartext Storage of Sensitive Information",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-09-07T08:20:15",
            orgId: "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
            shortName: "suse",
         },
         references: [
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://bugzilla.suse.com/show_bug.cgi?id=1193988",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/rancher/rancher/security/advisories/GHSA-g7j7-h4q8-8w2f",
            },
         ],
         source: {
            advisory: "https://bugzilla.suse.com/show_bug.cgi?id=1193988",
            defect: [
               "1193988",
            ],
            discovery: "EXTERNAL",
         },
         title: "Rancher: Plaintext storage and exposure of credentials in Rancher API and cluster.management.cattle.io object",
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "security@suse.com",
               DATE_PUBLIC: "2022-08-19T00:00:00.000Z",
               ID: "CVE-2021-36782",
               STATE: "PUBLIC",
               TITLE: "Rancher: Plaintext storage and exposure of credentials in Rancher API and cluster.management.cattle.io object",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "Rancher",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "<",
                                          version_name: "Rancher",
                                          version_value: "2.5.16",
                                       },
                                    ],
                                 },
                              },
                              {
                                 product_name: "Rancher",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "<",
                                          version_name: "Rancher",
                                          version_value: "2.6.7",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "SUSE",
                     },
                  ],
               },
            },
            credit: [
               {
                  lang: "eng",
                  value: "Florian Struck (from Continum AG) and Marco Stuurman (from Shock Media B.V.)",
               },
            ],
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners, Project Members and User Base to use the Kubernetes API to retrieve plaintext version of sensitive data. This issue affects: SUSE Rancher Rancher versions prior to 2.5.16; Rancher versions prior to 2.6.7.",
                  },
               ],
            },
            generator: {
               engine: "Vulnogram 0.0.9",
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.9,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-312: Cleartext Storage of Sensitive Information",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://bugzilla.suse.com/show_bug.cgi?id=1193988",
                     refsource: "CONFIRM",
                     url: "https://bugzilla.suse.com/show_bug.cgi?id=1193988",
                  },
                  {
                     name: "https://github.com/rancher/rancher/security/advisories/GHSA-g7j7-h4q8-8w2f",
                     refsource: "CONFIRM",
                     url: "https://github.com/rancher/rancher/security/advisories/GHSA-g7j7-h4q8-8w2f",
                  },
               ],
            },
            source: {
               advisory: "https://bugzilla.suse.com/show_bug.cgi?id=1193988",
               defect: [
                  "1193988",
               ],
               discovery: "EXTERNAL",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
      assignerShortName: "suse",
      cveId: "CVE-2021-36782",
      datePublished: "2022-09-07T08:20:16.064791Z",
      dateReserved: "2021-07-19T00:00:00",
      dateUpdated: "2024-09-17T04:14:05.504Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2021-36782\",\"sourceIdentifier\":\"meissner@suse.de\",\"published\":\"2022-09-07T09:15:08.397\",\"lastModified\":\"2024-11-21T06:14:05.320\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners, Project Members and User Base to use the Kubernetes API to retrieve plaintext version of sensitive data. This issue affects: SUSE Rancher Rancher versions prior to 2.5.16; Rancher versions prior to 2.6.7.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de Almacenamiento en Texto sin Cifrar de Información confidencial en SUSE Rancher permite a propietarios de clústeres, los miembros de clústeres, los propietarios de proyectos, los miembros de proyectos y la base de usuarios autenticados usar la API de Kubernetes para recuperar una versión en texto sin cifrar de datos confidenciales. Este problema afecta a: SUSE Rancher versiones anteriores a 2.5.16; Rancher versiones anteriores a 2.6.7\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"meissner@suse.de\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"meissner@suse.de\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-312\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.5.0\",\"versionEndExcluding\":\"2.5.16\",\"matchCriteriaId\":\"0F219B91-5B6F-460A-A75F-93555ECF2C1A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.6.0\",\"versionEndExcluding\":\"2.6.7\",\"matchCriteriaId\":\"B45FC83F-E91A-4872-996E-72685FBD0AA3\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.suse.com/show_bug.cgi?id=1193988\",\"source\":\"meissner@suse.de\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/rancher/rancher/security/advisories/GHSA-g7j7-h4q8-8w2f\",\"source\":\"meissner@suse.de\",\"tags\":[\"Exploit\",\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.suse.com/show_bug.cgi?id=1193988\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/rancher/rancher/security/advisories/GHSA-g7j7-h4q8-8w2f\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mitigation\",\"Third Party Advisory\"]}]}}",
   },
}

ghsa-g7j7-h4q8-8w2f

Vulnerability from github

Published

2022-09-23 18:11

Modified

2022-09-23 18:11

Severity ?

9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

Rancher API and cluster.management.cattle.io object vulnerable to plaintext storage and exposure of credentials

Details

Impact

An issue was discovered in Rancher versions up to and including 2.5.15 and 2.6.6 where sensitive fields, like passwords, API keys and Rancher's service account token (used to provision clusters), were stored in plaintext directly on Kubernetes objects like Clusters, for example cluster.management.cattle.io. Anyone with read access to those objects in the Kubernetes API could retrieve the plaintext version of those sensitive data.

The exposed credentials are visible in Rancher to authenticated Cluster Owners, Cluster Members, Project Owners, Project Members and User Base on the endpoints: - /v1/management.cattle.io.catalogs - /v1/management.cattle.io.cluster - /v1/management.cattle.io.clustertemplates - /v1/management.cattle.io.notifiers - /v1/project.cattle.io.sourcecodeproviderconfig - /k8s/clusters/local/apis/management.cattle.io/v3/catalogs - /k8s/clusters/local/apis/management.cattle.io/v3/clusters - /k8s/clusters/local/apis/management.cattle.io/v3/clustertemplates - /k8s/clusters/local/apis/management.cattle.io/v3/notifiers - /k8s/clusters/local/apis/project.cattle.io/v3/sourcecodeproviderconfigs

Sensitive fields are now stripped from Clusters and other objects and moved to a Secret before the object is stored. The Secret is retrieved when the credential is needed. For objects that existed before this security fix, a one-time migration happens on startup.

Important: - The exposure of Rancher's serviceAccountToken allows any standard user to escalate its privileges to cluster administrator in Rancher. - For the exposure of credentials not related to Rancher, the final impact severity for confidentiality, integrity and availability is dependent on the permissions that the leaked credentials have on their own services.

The fields that have been addressed by this security fix are:

Notifier.SMTPConfig.Password
Notifier.WechatConfig.Secret
Notifier.DingtalkConfig.Secret
Catalog.Spec.Password
SourceCodeProviderConfig.GithubPipelineConfig.ClientSecret
SourceCodeProviderConfig.GitlabPipelineConfig.ClientSecret
SourceCodeProviderConfig.BitbucketCloudPipelineConfig.ClientSecret
SourceCodeProviderConfig.BitbucketServerPipelineConfig.PrivateKey
Cluster.Spec.RancherKubernetesEngineConfig.BackupConfig.S3BackupConfig.SecretKey
Cluster.Spec.RancherKubernetesEngineConfig.PrivateRegistries.Password
Cluster.Spec.RancherKubernetesEngineConfig.Network.WeaveNetworkProvider.Password
Cluster.Spec.RancherKubernetesEngineConfig.CloudProvider.VsphereCloudProvider.Global.Password
Cluster.Spec.RancherKubernetesEngineConfig.CloudProvider.VsphereCloudProvider.VirtualCenter.Password
Cluster.Spec.RancherKubernetesEngineConfig.CloudProvider.OpenstackCloudProvider.Global.Password
Cluster.Spec.RancherKubernetesEngineConfig.CloudProvider.AzureCloudProvider.AADClientSecret
Cluster.Spec.RancherKubernetesEngineConfig.CloudProvider.AzureCloudProvider.AADClientCertPassword
Cluster.Status.ServiceAccountToken
ClusterTemplate.Spec.ClusterConfig.RancherKubernetesEngineConfig.PrivateRegistries.Password
ClusterTemplate.Spec.ClusterConfig.RancherKubernetesEngineConfig.Network.WeaveNetworkProvider.Password
ClusterTemplate.Spec.ClusterConfig.RancherKubernetesEngineConfig.CloudProvider.VsphereCloudProvider.Global.Password
ClusterTemplate.Spec.ClusterConfig.RancherKubernetesEngineConfig.CloudProvider.VsphereCloudProvider.VirtualCenter.Password
ClusterTemplate.Spec.ClusterConfig.RancherKubernetesEngineConfig.CloudProvider.OpenstackCloudProvider.Global.Password
ClusterTemplate.Spec.ClusterConfig.RancherKubernetesEngineConfig.CloudProvider.AzureCloudProvider.AADClientSecret
ClusterTemplate.Spec.ClusterConfig.RancherKubernetesEngineConfig.CloudProvider.AzureCloudProvider.AADClientCertPassword

Patches

Patched versions include releases 2.5.16, 2.6.7 and later versions.

After upgrading to a patched version, it is important to check for the SecretsMigrated condition on Clusters, ClusterTemplates, and Catalogs to confirm when secrets have been fully migrated off of those objects and the objects scoped within them (Notifiers and SourceCodeProviderConfigs).

Workarounds

Limit access in Rancher to trusted users. There is not a direct mitigation besides upgrading to the patched Rancher versions.

Important: - It is highly advised to rotate Rancher's serviceAccountToken. This rotation is not done by the version upgrade. Please see the helper script below. - The local and downstream clusters should be checked for potential unrecognized services (pods), users and API keys. - It is recommended to review for potential leaked credentials in this scenario, that are not directly related to Rancher, and to change them if deemed necessary.

The script available in rancherlabs/support-tools/rotate-tokens repository can be used as a helper to rotate the service account token (used to provision clusters). The script requires a valid Rancher API token, kubectl access to the local cluster and the jq command.

Credits

We would like to recognize and appreciate Florian Struck (from Continum AG) and Marco Stuurman (from Shock Media B.V.) for the responsible disclosure of this security issue.

For more information

If you have any questions or comments about this advisory: * Reach out to SUSE Rancher Security team for security related inquiries. * Open an issue in Rancher repository. * Verify our support matrix and product support lifecycle.

Show details on source website

JSON

To clipboard

{
   affected: [
      {
         package: {
            ecosystem: "Go",
            name: "github.com/rancher/rancher",
         },
         ranges: [
            {
               events: [
                  {
                     introduced: "2.5.0",
                  },
                  {
                     fixed: "2.5.16",
                  },
               ],
               type: "ECOSYSTEM",
            },
         ],
      },
      {
         package: {
            ecosystem: "Go",
            name: "github.com/rancher/rancher",
         },
         ranges: [
            {
               events: [
                  {
                     introduced: "2.6.0",
                  },
                  {
                     fixed: "2.6.7",
                  },
               ],
               type: "ECOSYSTEM",
            },
         ],
      },
   ],
   aliases: [
      "CVE-2021-36782",
   ],
   database_specific: {
      cwe_ids: [
         "CWE-312",
      ],
      github_reviewed: true,
      github_reviewed_at: "2022-09-23T18:11:28Z",
      nvd_published_at: "2022-09-07T09:15:00Z",
      severity: "CRITICAL",
   },
   details: "### Impact\nAn issue was discovered in Rancher versions up to and including 2.5.15 and 2.6.6 where sensitive fields, like passwords, API keys and Rancher's service account token (used to provision clusters), were stored in plaintext directly on Kubernetes objects like `Clusters`, for example `cluster.management.cattle.io`. Anyone with read access to those objects in the Kubernetes API could retrieve the plaintext version of those sensitive data.\n\nThe exposed credentials are visible in Rancher to authenticated `Cluster Owners`, `Cluster Members`, `Project Owners`, `Project Members` and `User Base` on the endpoints:\n- `/v1/management.cattle.io.catalogs`\n- `/v1/management.cattle.io.cluster`\n- `/v1/management.cattle.io.clustertemplates`\n- `/v1/management.cattle.io.notifiers`\n- `/v1/project.cattle.io.sourcecodeproviderconfig`\n- `/k8s/clusters/local/apis/management.cattle.io/v3/catalogs`\n- `/k8s/clusters/local/apis/management.cattle.io/v3/clusters`\n-  `/k8s/clusters/local/apis/management.cattle.io/v3/clustertemplates`\n- `/k8s/clusters/local/apis/management.cattle.io/v3/notifiers`\n- `/k8s/clusters/local/apis/project.cattle.io/v3/sourcecodeproviderconfigs`\n\nSensitive fields are now stripped from `Clusters` and other objects and moved to a `Secret` before the object is stored. The `Secret` is retrieved when the credential is needed. For objects that existed before this security fix, a one-time migration happens on startup.\n\n**Important:**\n- The exposure of Rancher's `serviceAccountToken` allows any standard user to escalate its privileges to cluster administrator in Rancher.\n- For the exposure of credentials not related to Rancher, the final impact severity for confidentiality, integrity and availability is dependent on the permissions that the leaked credentials have on their own services.\n\nThe fields that have been addressed by this security fix are:\n\n- `Notifier.SMTPConfig.Password`\n- `Notifier.WechatConfig.Secret`\n- `Notifier.DingtalkConfig.Secret`\n- `Catalog.Spec.Password`\n- `SourceCodeProviderConfig.GithubPipelineConfig.ClientSecret`\n- `SourceCodeProviderConfig.GitlabPipelineConfig.ClientSecret`\n- `SourceCodeProviderConfig.BitbucketCloudPipelineConfig.ClientSecret`\n- `SourceCodeProviderConfig.BitbucketServerPipelineConfig.PrivateKey`\n- `Cluster.Spec.RancherKubernetesEngineConfig.BackupConfig.S3BackupConfig.SecretKey`\n- `Cluster.Spec.RancherKubernetesEngineConfig.PrivateRegistries.Password`\n- `Cluster.Spec.RancherKubernetesEngineConfig.Network.WeaveNetworkProvider.Password`\n- `Cluster.Spec.RancherKubernetesEngineConfig.CloudProvider.VsphereCloudProvider.Global.Password`\n- `Cluster.Spec.RancherKubernetesEngineConfig.CloudProvider.VsphereCloudProvider.VirtualCenter.Password`\n- `Cluster.Spec.RancherKubernetesEngineConfig.CloudProvider.OpenstackCloudProvider.Global.Password`\n- `Cluster.Spec.RancherKubernetesEngineConfig.CloudProvider.AzureCloudProvider.AADClientSecret`\n- `Cluster.Spec.RancherKubernetesEngineConfig.CloudProvider.AzureCloudProvider.AADClientCertPassword`\n- `Cluster.Status.ServiceAccountToken`\n- `ClusterTemplate.Spec.ClusterConfig.RancherKubernetesEngineConfig.PrivateRegistries.Password`\n- `ClusterTemplate.Spec.ClusterConfig.RancherKubernetesEngineConfig.Network.WeaveNetworkProvider.Password`\n- `ClusterTemplate.Spec.ClusterConfig.RancherKubernetesEngineConfig.CloudProvider.VsphereCloudProvider.Global.Password`\n- `ClusterTemplate.Spec.ClusterConfig.RancherKubernetesEngineConfig.CloudProvider.VsphereCloudProvider.VirtualCenter.Password`\n- `ClusterTemplate.Spec.ClusterConfig.RancherKubernetesEngineConfig.CloudProvider.OpenstackCloudProvider.Global.Password`\n- `ClusterTemplate.Spec.ClusterConfig.RancherKubernetesEngineConfig.CloudProvider.AzureCloudProvider.AADClientSecret`\n- `ClusterTemplate.Spec.ClusterConfig.RancherKubernetesEngineConfig.CloudProvider.AzureCloudProvider.AADClientCertPassword`\n\n### Patches\nPatched versions include releases 2.5.16, 2.6.7 and later versions.\n\nAfter upgrading to a patched version, it is important to check for the `SecretsMigrated` condition on `Clusters`, `ClusterTemplates`, and `Catalogs` to confirm when secrets have been fully migrated off of those objects and the objects scoped within them (`Notifiers` and `SourceCodeProviderConfigs`).\n\n### Workarounds\nLimit access in Rancher to trusted users. There is not a direct mitigation besides upgrading to the patched Rancher versions.\n\n**Important:**\n- It is highly advised to rotate Rancher's `serviceAccountToken`. This rotation is not done by the version upgrade. Please see the helper script below.\n- The local and downstream clusters should be checked for potential unrecognized services (pods), users and API keys.\n- It is recommended to review for potential leaked credentials in this scenario, that are not directly related to Rancher, and to change them if deemed necessary.\n\nThe script available in [rancherlabs/support-tools/rotate-tokens](https://github.com/rancherlabs/support-tools/blob/master/rotate-tokens) repository can be used as a helper to rotate the service account token (used to provision clusters). The script requires a valid Rancher API token, `kubectl` access to the `local` cluster and the `jq` command.\n\n### Credits\nWe would like to recognize and appreciate Florian Struck (from [Continum AG](https://www.continum.net/)) and [Marco Stuurman](https://github.com/fe-ax) (from [Shock Media B.V.](https://www.shockmedia.nl)) for the responsible disclosure of this security issue.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Reach out to [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n* Open an issue in [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.\n* Verify our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).",
   id: "GHSA-g7j7-h4q8-8w2f",
   modified: "2022-09-23T18:11:28Z",
   published: "2022-09-23T18:11:28Z",
   references: [
      {
         type: "WEB",
         url: "https://github.com/rancher/rancher/security/advisories/GHSA-g7j7-h4q8-8w2f",
      },
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2021-36782",
      },
      {
         type: "WEB",
         url: "https://bugzilla.suse.com/show_bug.cgi?id=1193988",
      },
      {
         type: "PACKAGE",
         url: "https://github.com/rancher/rancher",
      },
   ],
   schema_version: "1.4.0",
   severity: [
      {
         score: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
         type: "CVSS_V3",
      },
   ],
   summary: "Rancher API and cluster.management.cattle.io object vulnerable to plaintext storage and exposure of credentials",
}

gsd-2021-36782

Vulnerability from gsd

Modified

2023-12-13 01:23

Details

Aliases

CVE-2021-36782

Aliases

CVE-2021-36782

JSON

To clipboard

{
   GSD: {
      alias: "CVE-2021-36782",
      description: "A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners, Project Members and User Base to use the Kubernetes API to retrieve plaintext version of sensitive data. This issue affects: SUSE Rancher Rancher versions prior to 2.5.16; Rancher versions prior to 2.6.7.",
      id: "GSD-2021-36782",
      references: [
         "https://www.suse.com/security/cve/CVE-2021-36782.html",
      ],
   },
   gsd: {
      metadata: {
         exploitCode: "unknown",
         remediation: "unknown",
         reportConfidence: "confirmed",
         type: "vulnerability",
      },
      osvSchema: {
         aliases: [
            "CVE-2021-36782",
         ],
         details: "A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners, Project Members and User Base to use the Kubernetes API to retrieve plaintext version of sensitive data. This issue affects: SUSE Rancher Rancher versions prior to 2.5.16; Rancher versions prior to 2.6.7.",
         id: "GSD-2021-36782",
         modified: "2023-12-13T01:23:16.927035Z",
         schema_version: "1.4.0",
      },
   },
   namespaces: {
      "cve.org": {
         CVE_data_meta: {
            ASSIGNER: "security@suse.com",
            DATE_PUBLIC: "2022-08-19T00:00:00.000Z",
            ID: "CVE-2021-36782",
            STATE: "PUBLIC",
            TITLE: "Rancher: Plaintext storage and exposure of credentials in Rancher API and cluster.management.cattle.io object",
         },
         affects: {
            vendor: {
               vendor_data: [
                  {
                     product: {
                        product_data: [
                           {
                              product_name: "Rancher",
                              version: {
                                 version_data: [
                                    {
                                       version_affected: "<",
                                       version_name: "Rancher",
                                       version_value: "2.5.16",
                                    },
                                 ],
                              },
                           },
                           {
                              product_name: "Rancher",
                              version: {
                                 version_data: [
                                    {
                                       version_affected: "<",
                                       version_name: "Rancher",
                                       version_value: "2.6.7",
                                    },
                                 ],
                              },
                           },
                        ],
                     },
                     vendor_name: "SUSE",
                  },
               ],
            },
         },
         credit: [
            {
               lang: "eng",
               value: "Florian Struck (from Continum AG) and Marco Stuurman (from Shock Media B.V.)",
            },
         ],
         data_format: "MITRE",
         data_type: "CVE",
         data_version: "4.0",
         description: {
            description_data: [
               {
                  lang: "eng",
                  value: "A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners, Project Members and User Base to use the Kubernetes API to retrieve plaintext version of sensitive data. This issue affects: SUSE Rancher Rancher versions prior to 2.5.16; Rancher versions prior to 2.6.7.",
               },
            ],
         },
         generator: {
            engine: "Vulnogram 0.0.9",
         },
         impact: {
            cvss: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.9,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
               version: "3.1",
            },
         },
         problemtype: {
            problemtype_data: [
               {
                  description: [
                     {
                        lang: "eng",
                        value: "CWE-312: Cleartext Storage of Sensitive Information",
                     },
                  ],
               },
            ],
         },
         references: {
            reference_data: [
               {
                  name: "https://bugzilla.suse.com/show_bug.cgi?id=1193988",
                  refsource: "CONFIRM",
                  url: "https://bugzilla.suse.com/show_bug.cgi?id=1193988",
               },
               {
                  name: "https://github.com/rancher/rancher/security/advisories/GHSA-g7j7-h4q8-8w2f",
                  refsource: "CONFIRM",
                  url: "https://github.com/rancher/rancher/security/advisories/GHSA-g7j7-h4q8-8w2f",
               },
            ],
         },
         source: {
            advisory: "https://bugzilla.suse.com/show_bug.cgi?id=1193988",
            defect: [
               "1193988",
            ],
            discovery: "EXTERNAL",
         },
      },
      "gitlab.com": {
         advisories: [
            {
               affected_range: ">=2.5.0 <2.5.16||>=2.6.0 <2.6.7",
               affected_versions: "All versions starting from 2.5.0 before 2.5.16, all versions starting from 2.6.0 before 2.6.7",
               cvss_v3: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
               cwe_ids: [
                  "CWE-1035",
                  "CWE-312",
                  "CWE-937",
               ],
               date: "2022-09-23",
               description: "A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners, Project Members and User Base to use the Kubernetes API to retrieve plaintext version of sensitive data. This issue affects: SUSE Rancher Rancher versions prior to 2.5.16; Rancher versions prior to 2.6.7.",
               fixed_versions: [
                  "2.5.16",
                  "2.6.7",
               ],
               identifier: "CVE-2021-36782",
               identifiers: [
                  "GHSA-g7j7-h4q8-8w2f",
                  "CVE-2021-36782",
               ],
               not_impacted: "All versions before 2.5.0, all versions starting from 2.5.16 before 2.6.0, all versions starting from 2.6.7",
               package_slug: "go/github.com/rancher/rancher",
               pubdate: "2022-09-23",
               solution: "Upgrade to versions 2.5.16, 2.6.7 or above.",
               title: "Cleartext Storage of Sensitive Information",
               urls: [
                  "https://github.com/rancher/rancher/security/advisories/GHSA-g7j7-h4q8-8w2f",
                  "https://nvd.nist.gov/vuln/detail/CVE-2021-36782",
                  "https://bugzilla.suse.com/show_bug.cgi?id=1193988",
                  "https://github.com/advisories/GHSA-g7j7-h4q8-8w2f",
               ],
               uuid: "798694fa-fd66-4f6d-88da-efd1fce62982",
            },
         ],
      },
      "nvd.nist.gov": {
         configurations: {
            CVE_data_version: "4.0",
            nodes: [
               {
                  children: [],
                  cpe_match: [
                     {
                        cpe23Uri: "cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*",
                        cpe_name: [],
                        versionEndExcluding: "2.6.7",
                        versionStartIncluding: "2.6.0",
                        vulnerable: true,
                     },
                     {
                        cpe23Uri: "cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*",
                        cpe_name: [],
                        versionEndExcluding: "2.5.16",
                        versionStartIncluding: "2.5.0",
                        vulnerable: true,
                     },
                  ],
                  operator: "OR",
               },
            ],
         },
         cve: {
            CVE_data_meta: {
               ASSIGNER: "security@suse.com",
               ID: "CVE-2021-36782",
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "en",
                     value: "A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners, Project Members and User Base to use the Kubernetes API to retrieve plaintext version of sensitive data. This issue affects: SUSE Rancher Rancher versions prior to 2.5.16; Rancher versions prior to 2.6.7.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "en",
                           value: "CWE-312",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://bugzilla.suse.com/show_bug.cgi?id=1193988",
                     refsource: "CONFIRM",
                     tags: [
                        "Exploit",
                        "Issue Tracking",
                        "Mitigation",
                        "Vendor Advisory",
                     ],
                     url: "https://bugzilla.suse.com/show_bug.cgi?id=1193988",
                  },
                  {
                     name: "https://github.com/rancher/rancher/security/advisories/GHSA-g7j7-h4q8-8w2f",
                     refsource: "CONFIRM",
                     tags: [
                        "Exploit",
                        "Mitigation",
                        "Third Party Advisory",
                     ],
                     url: "https://github.com/rancher/rancher/security/advisories/GHSA-g7j7-h4q8-8w2f",
                  },
               ],
            },
         },
         impact: {
            baseMetricV3: {
               cvssV3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 9.9,
                  baseSeverity: "CRITICAL",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                  version: "3.1",
               },
               exploitabilityScore: 3.1,
               impactScore: 6,
            },
         },
         lastModifiedDate: "2023-01-18T14:29Z",
         publishedDate: "2022-09-07T09:15Z",
      },
   },
}

fkie_cve-2021-36782

Vulnerability from fkie_nvd

Published

2022-09-07 09:15

Modified

2024-11-21 06:14

Severity ?

9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

References

URL	Tags
meissner@suse.de	https://bugzilla.suse.com/show_bug.cgi?id=1193988	Exploit, Issue Tracking, Mitigation, Vendor Advisory
meissner@suse.de	https://github.com/rancher/rancher/security/advisories/GHSA-g7j7-h4q8-8w2f	Exploit, Mitigation, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.suse.com/show_bug.cgi?id=1193988	Exploit, Issue Tracking, Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/rancher/rancher/security/advisories/GHSA-g7j7-h4q8-8w2f	Exploit, Mitigation, Third Party Advisory

Impacted products

	Vendor	Product	Version
	suse	rancher	*
	suse	rancher	*

JSON

To clipboard

{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "0F219B91-5B6F-460A-A75F-93555ECF2C1A",
                     versionEndExcluding: "2.5.16",
                     versionStartIncluding: "2.5.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:suse:rancher:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "B45FC83F-E91A-4872-996E-72685FBD0AA3",
                     versionEndExcluding: "2.6.7",
                     versionStartIncluding: "2.6.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners, Project Members and User Base to use the Kubernetes API to retrieve plaintext version of sensitive data. This issue affects: SUSE Rancher Rancher versions prior to 2.5.16; Rancher versions prior to 2.6.7.",
      },
      {
         lang: "es",
         value: "Una vulnerabilidad de Almacenamiento en Texto sin Cifrar de Información confidencial en SUSE Rancher permite a propietarios de clústeres, los miembros de clústeres, los propietarios de proyectos, los miembros de proyectos y la base de usuarios autenticados usar la API de Kubernetes para recuperar una versión en texto sin cifrar de datos confidenciales. Este problema afecta a: SUSE Rancher versiones anteriores a 2.5.16; Rancher versiones anteriores a 2.6.7",
      },
   ],
   id: "CVE-2021-36782",
   lastModified: "2024-11-21T06:14:05.320",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.9,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.1,
            impactScore: 6,
            source: "meissner@suse.de",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.9,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.1,
            impactScore: 6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2022-09-07T09:15:08.397",
   references: [
      {
         source: "meissner@suse.de",
         tags: [
            "Exploit",
            "Issue Tracking",
            "Mitigation",
            "Vendor Advisory",
         ],
         url: "https://bugzilla.suse.com/show_bug.cgi?id=1193988",
      },
      {
         source: "meissner@suse.de",
         tags: [
            "Exploit",
            "Mitigation",
            "Third Party Advisory",
         ],
         url: "https://github.com/rancher/rancher/security/advisories/GHSA-g7j7-h4q8-8w2f",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Issue Tracking",
            "Mitigation",
            "Vendor Advisory",
         ],
         url: "https://bugzilla.suse.com/show_bug.cgi?id=1193988",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Mitigation",
            "Third Party Advisory",
         ],
         url: "https://github.com/rancher/rancher/security/advisories/GHSA-g7j7-h4q8-8w2f",
      },
   ],
   sourceIdentifier: "meissner@suse.de",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-312",
            },
         ],
         source: "meissner@suse.de",
         type: "Primary",
      },
   ],
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2021-36782

Vulnerability from cvelistv5

ghsa-g7j7-h4q8-8w2f

Vulnerability from github

Impact

Patches

Workarounds

Credits

For more information

gsd-2021-36782

Vulnerability from gsd

fkie_cve-2021-36782

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature